From 209c43ebbc5300133f3d72158c5cdd6e088a4882 Mon Sep 17 00:00:00 2001 From: Hypolite Petovan Date: Fri, 19 Jan 2018 22:49:06 -0500 Subject: [PATCH] Centralize password hashing in Model\User --- mod/lostpass.php | 7 +++---- mod/settings.php | 13 +++++------- src/Model/User.php | 52 +++++++++++++++++++++++++++++++++++++++++++--- 3 files changed, 57 insertions(+), 15 deletions(-) diff --git a/mod/lostpass.php b/mod/lostpass.php index 5934556a8e..abe67f2de2 100644 --- a/mod/lostpass.php +++ b/mod/lostpass.php @@ -7,6 +7,7 @@ use Friendica\App; use Friendica\Core\System; use Friendica\Database\DBM; +use Friendica\Model\User; require_once 'include/boot.php'; require_once 'include/enotify.php'; @@ -84,10 +85,8 @@ function lostpass_content(App $a) return $o; } - $new_password = autoname(6) . mt_rand(100, 9999); - $new_password_encoded = hash('whirlpool', $new_password); - - $result = dba::update('user', ['password' => $new_password_encoded, 'pwdreset' => ''], ['uid' => $user['uid']]); + $new_password = User::generateNewPassword(); + $result = User::updatePassword($user['uid'], $new_password); if (DBM::is_result($result)) { $tpl = get_markup_template('pwdreset.tpl'); $o .= replace_macros($tpl, diff --git a/mod/settings.php b/mod/settings.php index a5a4d4ad50..5193c4a046 100644 --- a/mod/settings.php +++ b/mod/settings.php @@ -2,14 +2,15 @@ /** * @file mod/settings.php */ + use Friendica\App; use Friendica\Content\Feature; use Friendica\Content\Nav; use Friendica\Core\Addon; -use Friendica\Core\System; -use Friendica\Core\Worker; use Friendica\Core\Config; use Friendica\Core\PConfig; +use Friendica\Core\System; +use Friendica\Core\Worker; use Friendica\Database\DBM; use Friendica\Model\GContact; use Friendica\Model\Group; @@ -391,12 +392,8 @@ function settings_post(App $a) } if (!$err) { - $password = hash('whirlpool', $newpass); - $r = q("UPDATE `user` SET `password` = '%s' WHERE `uid` = %d", - dbesc($password), - intval(local_user()) - ); - if (DBM::is_result($r)) { + $result = User::updatePassword(local_user(), $newpass); + if (DBM::is_result($result)) { info(t('Password changed.') . EOL); } else { notice(t('Password update failed. Please try again.') . EOL); diff --git a/src/Model/User.php b/src/Model/User.php index 862a9d4084..0979c2275d 100644 --- a/src/Model/User.php +++ b/src/Model/User.php @@ -142,7 +142,7 @@ class User return false; } - $password_hashed = hash('whirlpool', $password); + $password_hashed = self::hashPassword($password); if ($password_hashed !== $user['password']) { return false; @@ -151,6 +151,52 @@ class User return $user['uid']; } + /** + * Generates a human-readable random password + * + * @return string + */ + public static function generateNewPassword() + { + return autoname(6) . mt_rand(100, 9999); + } + + /** + * Global user password hashing function + * + * @param string $password + * @return string + */ + private static function hashPassword($password) + { + return hash('whirlpool', $password); + } + + /** + * Updates a user row with a new plaintext password + * + * @param int $uid + * @param string $password + * @return bool + */ + public static function updatePassword($uid, $password) + { + return self::updatePasswordHashed($uid, self::hashPassword($password)); + } + + /** + * Updates a user row with a new hashed password. + * Empties the password reset token field just in case. + * + * @param int $uid + * @param string $pasword_hashed + * @return bool + */ + private static function updatePasswordHashed($uid, $pasword_hashed) + { + return dba::update('user', ['password' => $pasword_hashed, 'pwdreset' => ''], ['uid' => $uid]); + } + /** * @brief Catch-all user creation function * @@ -290,8 +336,8 @@ class User throw new Exception(t('Nickname is already registered. Please choose another.')); } - $new_password = strlen($password) ? $password : autoname(6) . mt_rand(100, 9999); - $new_password_encoded = hash('whirlpool', $new_password); + $new_password = strlen($password) ? $password : User::generateNewPassword(); + $new_password_encoded = self::hashPassword($new_password); $return['password'] = $new_password;